Gartner Report: 12 Things to Get Right for Successful DevSecOps

The rise of DevOps in IT organizations has been driven by the need for rapid creation and continuous delivery of software. Implemented correctly, DevOps increases the speed of development by embracing a collaborative approach that tears down operational silos. But too often, security and compliance are afterthoughts to the process.

This invaluable report from Gartner highlights the need for security and risk management leaders to adhere to the collaborative, agile nature of DevOps for security testing, and to make it a seamless part of the development process—ultimately making the “Sec” in DevSecOps transparent.

“Traditional application security processes focused on complete feedback late in the project via time-consuming gateways are ill-suited to the needs of DevOps.”

12 Things to Get Right for Successful DevSecOps, Neil Macdonald, Dale Gardner, Dec. 19, 2019

Meera Rao
Senior Director, Product Management
DevOps Solutions, Synopsys

Synopsys Point of View

It’s well-acknowledged within development circles that with security comes complexity. And as we all know, complexity is the enemy of the developer. Why? Because navigating it requires time, and time is the most precious of commodities in the SDLC.

So how can organizations get the application security they need without sacrificing the time they can’t afford?

The answer boils down to automation, integration, and training.

As noted in the Gartner report, one of the main things to get right is adapting your security testing tools to the developers, not the other way around. This means automating and integrating tools that run in the background, utilizing the “spell check effect.” That allows developers to find and fix defects while they are coding instead of waiting to address a batch of issues that the security team dumps on them later.

Automation, however, doesn’t mean autonomous operation. Many kinds of tests are required throughout the SDLC, including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). Security testing also requires manual review, triage, and remediation efforts.

Empowering developers to take on some of the security responsibilities requires more and better training, even if the expectation isn’t for them to become security experts. They need to understand the basics of secure coding and the myriad ways applications can be attacked. The idea is to allow the security team to function more as subject matter experts and consultants, available to interpret automated results, without upending workflows with a pile of changes at the end of the SDLC.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.